February 2013, 20(1): 58–65 www.sciencedirect.com/science/journal/10058885 http://jcupt.xsw.bupt.cn

The Journal of China Universities of Posts and Telecommunications

Anonymous authentication scheme of trusted mobile terminal under mobile Internet

ZHANG De-dong1, 2 ( ), MA Zhao-feng1, 2, NIU Xin-xin1, 2, Peng Yong3

1. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China 2. National Engineering Laboratory for Disaster Backup and Recovery,

Beijing University of Posts and Telecommunications, Beijing 100876, China 3. China Information Technology Security Evaluation Center, Beijing 100085, China

Abstract

In order to solve the contradictions between user privacy protection and identity authentication, an anonymous authentication scheme under mobile Internet is proposed, which is based on the direct anonymous attestation of trusted computing and uses the encrypting transfer and signature validation for its implementation. Aiming at two access mode of trusted mobile terminal under mobile Internet, self access and cross-domain access, the authentication process of each mode is described in details. The analysis shows that the scheme implements anonymous authentication on mobile Internet and is correct, controllable and unforgeable.

Keywords trusted platform module, anonymous authentication, strong RSA assumption, remote attestation

1 Introduction

Mobile communications are a rapidly growing segment of the communications industry. It provides high-speed and high-quality information exchange between portable devices located anywhere in the world and has brought us great convenience. However, network security issues are outstanding increasingly. Identity authentication has become one of the key technologies to ensure the security of the mobile internet. The following issues exist in the authentication.

1) Internet service providers (ISP) only allow the authenticated users to access the services. However, mobile users do not want their own confidential information (such as: identity, movement trajectories, Received date: 14-05-2012 Corresponding author: ZHANG De-dong, E-mail: zhdd0411@163.com DOI: 10.1016/S1005-8885(13)60008-4

current position) to be exposed. 2) Even if the user’s identity is legitimate, it does not

mean that the mobile terminal is secure. In some Internet services, such as mobile e-commerce,

they not only need to authenticate the user’s identity, but also authenticate the credibility of the mobile terminal. At present, many anonymous authentication schemes have been proposed. However, majority of the schemes only authenticated the user’s identity, lacking validation of the credibility of mobile terminal in Refs. [1–7]. In Ref. [8], an authentication scheme was proposed which realized the mutual authentication between the trusted mobile terminal and subscriber identity. However, it did not solve the problem that the user and mobile terminal as a whole accessed to network. In Ref. [9], Wu et al. proposed an anonymous authentication scheme, in which the mobile user needed to send temporary public key certificate to foreign agent before each authentication. The

Issue 1 ZHANG De-dong, et al. / Anonymous authentication scheme of trusted mobile terminal under mobile Internet 59

authentication schemes proposed in Refs. [10–11] realized trusted authentication of mobile terminal. However, each access of mobile terminal needed the help of policy decision point (PDP) in Ref. [10] or home agent (HA) [11], which increased the computation of PDP or HA. In Ref. [12], Liu et al. proposed an anonymous authentication scheme which was based on the direct anonymous attestation. However, the scheme was linkable and the trajectory of mobile user could be easily identified.

Based on the direct anonymous attestation, this paper proposes an anonymous authentication scheme. Both user’s identity and mobile terminal’s creditability are authenticated. It meets the demands of identity authentication, creditability validation and privacy protection.

The paper is organized as follows. In Sect. 2, we give an introduction of trusted computing and remote attestation. In Sect. 3, network model of anonymous authentication is proposed. In Sect. 4, we propose an anonymous authentication scheme. The security and performance of the scheme are analyzed in Sect. 5 and some conclusions follow in Sect. 6.

2 Trusted computing and remote attestation

Trusted computing is developed and promoted by the Trusted Computing Group (TCG) [13]. The key of the trusted computing is to embed the trusted platform module (TPM) into terminal equipment to realize credibility validation. TPM includes a secure cryptoprocessor and a hardware pseudo-random number generator. The secure cryptoprocessor is used to store cryptographic keys. TPM contains several terminal configuration registers (PCRs) that store the integrity information of terminal equipment. When the system starts, TPM measures the hardware and software of the terminal equipment and writes the measurement results into PCRs. PCRs’value is used to prove the credibility and integrity of the terminal equipment. TPM can provide multi-group signature key including endorsement key (EK) and attestation identity key (AIK). EK is generated and injected into the TPM by the TPM’s manufacturer and each TPM is associated with a unique EK. Each TPM can

generate multiple AIKs. In the remote attestation, TPM uses the private key of AIK to sign the PCR values to ensure the authenticity of it.

3 Network model of anonymous authentication

As shown in Fig. 1, the model mainly includes trusted certification authority (TCA), policy management (PM), internet service provider (ISP) and mobile terminal (MT). TCA is responsible for issuing digital certificates for each PM. PM is responsible for authenticating the identity of mobile terminal of home network, and issuing the trusted certificate for the mobile terminal. ISP is responsible for providing services for legitimate and credible mobile terminal. MT, embedded TPM, sends the service requests to the network through wireless.

Fig. 1 Network model of anonymous authentication

4 Proposed scheme

4.1 Initialization

The initialization process is described as follows: Step 1 PM generates a modulus of RSA n pq= ,

where 2 1p p′= + , 2 1q q′= + , p , q , p′ , q′ are all

prime numbers. Step 2 PM selects ng RQ′∈ and random integers

, , , , , , z s h gx x x x x k t and calculates mod ,gxg g n′=

mod ,hxh g n′= mod ,sxS h n= mod ,zxZ h n= modxR S n= ,

60 The Journal of China Universities of Posts and Telecommunications 2013

modkM h n= , modtN h n= . Step 3 PM generates random numbers ρ and ,Γ

12 2l lΓΓ Γ− < < , 12 2l lρ ρρ− < < , where lρ stands for the length of ρ , lΓ for the length of Γ . Let 1rΓ ρ= + , and ensure that r cannot be divided evenly by ρ .

Step 4 PM generates random number γ ′ , let *RZΓγ ′∈ ,

( 1) / 1modΓ ργ Γ−′ ≠ , calculate ( 1) / modiΓ ργ γ Γ−′= . Step 5 PM saves private key ( , , , )p q k t′ ′ and issues

public key pub ( , , , , , , , , , , , )P n g g h S Z R M N γ Γ ρ′= in home

network and sends it to TCA. The PMs of each subnet should generate their own public key and private key as above.

Step 6 PM selects random number Px as his private key and computes his public key P

Pxy g ′= .

Step 7 ISP selects random number Ix as his private key and computes his public key I

Ixy g ′= .

Step 8 MT selects random number Mx as his private key and computes his public key M

Mxy g′= . TPM

generates the attestation identity key pair AIK AIK( , )x y according to endorsement key, where AIKy stands for public key and AIKx for private key.

Step 9 TCA generates digital certificate for all the PMs, The certificate’s format is expressed as follow: PMC =

priP pub date P pub date{PM, , , , (PM, , , )}Tx P D E x P D , where dateD

stands for validate of PM’s certificate, priT stands for the private key of TCA and ( )xE stands for encrypting with

the x.

4.2 Registration in the home network

Registration includes two aspects: 1) MT registration. When a new MT joins to the home

network, it sends identity MT to the local PM. PM checks whether the identity belongs to the network or not. If it does, PM generates a random number N, calculates

MTID (MT || ) PMH N= ⊕ as the communication identifier, sends MTID to MT and saves the mapping between MT and MTID .

2) ISP registration. ISP within the local network sends the services which it can provide to the local PM. PM verifies the service, assigns a unique code j in the entire network, issues the code and saves the mapping between

ISP and j.

4.3 Anonymous authentication in the home network

1) Trusted authentication: when MT applies for services for the first time, PM authenticates MT’s identity and issues the trusted certificate to MT.

Step 1 MT sends the creditability information, integrity information, identity information and the required service to PM.

a) TPM generates random number f, calculates modfU R n= and the integrity metric value PCR of the

mobile terminal, gets the AIK certificates AIKC and attribute certificates attC from the certification authority, calculates

AIK AIK att( || || PCR || )xE C C Uδ = and sends

them to MT. b) MT computes msg1 MT AIK att(ID , , ,PCR, , ,M C C U j= )δ and sends it to PM, where j stands for the required

services code. Step 2 PM verifies the creditability and identity of MT,

and issues trusted certificate a) Receiving msg1M , PM decrypts δ with AIKy ,

authenticates the creditability and identity according to MTID , AIKC , attC and PCR, and checks whether the user

has subscribed to the service j and the service is within valid period or not.

b) If MT has subscribed to the service and the service is within valid period, PM generates random number v and prime number 1 1 1[2 ,2 2 ]e e el l le ′− − −∈ + , and calculates

( ) ( )( )date1/

modevS kA Zj US h n= , s ke t= + , where el is

the size of e, dateS is the valid period for accessing the service j, and ( , , )A e s is a trusted certificate of MT for

accessing to the service j. c) PM calculates

Pmsg2 date(( , , ), , )xM E A e s v S= and

sends it to MT. 2) Anonymous authentication: the anonymous mutual

authentication between MT and ISP is done in the phase. It includes signature protocol and validation protocol.

Step 1 Signature protocol a) Receiving msg2M , MT decrypts it with py ,

generates random numbers w, r and calculates 1T = modwAh n , 2 modw e rT g h g n′= .

Issue 1 ZHANG De-dong, et al. / Anonymous authentication scheme of trusted mobile terminal under mobile Internet 61

b) TPM generates random numbers vr , fr , calculates vf

1t modrrT R S n= and sends 1tT to MT. c) MT generates random integers er , ewr , sr , eer , wr ,

rr , err and calculates e ew s1 1 1 modr r r

tT T T h h n−= , 2T = w e r modr r rg h g n′ , e ew ee er

2 2 modr r r rT T g h g n−′ ′= . d) MT generates random number vn , calculates

h v 1= ( || || || || || || || || || || || || || ( ||c H n g g h R S Z M N n Tγ ρ′ Γ

2 1 2 2) || ( || || ))T T T T ′ and sends hc and msg2M to TPM. e) TPM decrypts msg2M with py , checks whether

dateS is expired or not. If dateS is within the validity period, TPM generates random integer tn , calculates

h t( || )c H c n= , v v dates r cvS= + , f fs r cf= + and sends

t v f( , , , )c n s s to MT.

f) MT calculates e 1e e + ( 2 )ls r c e −= − , 2

ee ee +s r ce= ,

w w +s r cw= , ew ew +s r cew= , r r +s r cr= , er er +s r cer= ,

s ss r cs= − , generates signature 1 2(( || ) || ||T T cσ =

v t v f e ew ee er w r s|| || ( , , , , , , , , ))n n s s s s s s s s s and sends σ to

ISP. Step 2 Validation protocol a) Receiving the message σ , ISP calculates:

1ee v s ewf2

1 1ˆ ( ) mod

ls c s s ssc cT Z j T R S h N h n−+ −−=

1ew e r2

2 2ˆ mod

ls ss ccT T g h g n−+− ′=

1e2eew ee er( )

2 2ˆ mod

ls c s s sT T g h g n−+−′ ′=

b) ISP verifies whether or not the equation holds: ( ( || || || || || || || || || || ||c H H n g g h R S Z M N γ Γ′=

v 1 2 1 2 2 tˆ ˆ ˆ|| || ( || ) || ( || || )) || )n T T T T T nρ ′

If it holds, it is convinced that MT holds the trusted certificate issued by the PM, so ISP allows MT to access the service.

3) Fast re-authentication process: within the valid period of service, MT generates the different signature value σ by re-generating random number, which can provide identity anonymity and prevent the tracking of the attacker. The signature protocol and validation protocol of fast re-authentication is similar to that in anonymous authentication.

4.4 Anonymous authentication in the foreign network

Cross-domain service access is divided into two steps in Ref. [14], namely: roaming authentication and service

request. Roaming authentication refers that MT roams to a foreign network and attempts to access to the network. Service request refers that MT has entered into the foreign network and requests to access the service of ISP. Let TD-I and TD-K stand for the different network, PMi , MTi , ISPi for the PM, MT and ISP of TD-I respectively and PMk , MTk , ISPk for the PM, MT and ISP of TD-K respectively. Supposing mobile terminal MTi will apply service of ISPk . The process is described as

follow. 1) Roaming authentication: when MTi roams to the

TD-K network, MTi applies the trusted certificate ( , , )A e s′ ′ ′ for accessing to the TD-K network. He generates signature valueσ ′ and sends ( ,TD-I)σ ′ to PMk . PMk applies for the digital certificate of PMi to obtain

the public key of TD-I, and authenticates the identity and credibility of MTi according to public key of TD-I. The

process is similar to that the anonymous authentication in the home network.

2) Service request: after PMk authenticates the identity and credulity of MTi , it issues the trusted certificate ( , , )A e s′′ ′′ ′′ to MTi for accessing to ISPk . MTi and ISPk can implement the anonymous authentication by using the trusted certificate. ISPk can

authenticate the identity and credibility directly. If authentication is successful, ISPk is convinced that MTi is security, and allows MTi accessing the service. The

process is similar to that in anonymous authentication in the home network.

5 Scheme analyses

5.1 Correctness analysis

The correctness of the scheme is proved by verifying the equations 1 1T̂ T= , 2 2T̂ T= and 2 2T̂ T′ ′= are correct.

1ee v s ewf

e v s ewf

date v e s ewf

v s e ewf

e ew s

21 1

1

1( )

1

1 1

ˆ ( ) mod

( ) mod

( ) mod

mod

m

ls c s s ssc c

r ce s s ssc c

v S s r s rsc cke c

r r c ke t r rr cl cke

r r rt

T Z j T R S h N h n

Z j T R S h N h n

US h R S T h N h n

R S h h h T h n

T T h h

−+ −−

+ −−

−−

− + −

−

= =

=

=

=

1od n T=

62 The Journal of China Universities of Posts and Telecommunications 2013

1ew e r

1ew e r

1ew e r

w e r

22 2

2

( 2 )

2

ˆ mod

( ) mod

mod

mod

l

l

l

s s c sc

s s c sw e r c

s cw s c e s cr

r r r

T T g h g n

g h g g h g n

g h g n

g h g n T

−

−

−

+−

+−

− − − −

′= =

′ ′ =

′ =

′ =

1ee ew ee er

e ew ee er

2e ew ee er

e ew ee er

( 2 )2 2

2 2

2

2 2

ˆ mod

mod

mod

mod

ls c s s s

r s s sce

r s cew s ce s cer

r r r r

T T g h g n

T T g h g n

T g h g n

T g h g n T

−− +

− −

− − − −

−

′ ′= =

′ =

′ =

′ ′=

This shows that the scheme is correct.

5.2 Anonymity analysis

Anonymity includes two characteristics, namely identity anonymity and unlinkability.

1) Identity anonymity: ISP cannot infer the signer’s identity from the signature σ .

2) Unlinkability: given the signatures σ and σ ′ ( σ σ ′≠ ), ISP cannot distinguish whether they are generated by the same signer.

When the user registers in the home network, PM generates the communication identifier MTID for MT.

Only getting the number N can the entity calculate the true identity, so any entity except the user and PM cannot get MT’s identity. In the anonymous authentication, MT uses the different blind factors to make the ( , , )A e s blind and

proves it to ISP by zero-knowledge proof protocol. So ISP couldn’t obtain the detail information about MT. In fast re-authentication, MT generates a different signature σ ′ by re-generating the random numbers. Given the signature

1 2 v t v f e ew ee er w r s(( || ) || || || || ( , , , , , , , , )),T T c n n s s s s s s s s sσ = we can find that all of the elements inσ are generated based on random numbers, so ISP and attackers cannot distinguish whether or not these different signatures are generated by the same MT. So the scheme possesses the properties of anonymity.

5.3 Controllability analysis

In the proposed scheme, controllability refers to that MT can only access the required service within the validity period according to the trusted certificate ( , , )A e s .

Proof Assume that the MT with the trusted certificate ( , , )A e s want to access the service j′ over the validity

period, where j j′ ≠ . MT calculates 1T , 2T , 1T , 2T ,

2T ′ and hc as usual, and sends hc to TPM. TPM checks whether dateS has expired or not. If dateS has expired, TPM does not calculate c, t ,n vs , fs . As f fs r cf= +

includes the secret number f, MT can only solve f through U. However, MT cannot solve f through U under the strong RSA assumption. Therefore, MT cannot generate signature correctly. Even If dateS is within the validity period, MT cannot generate the signature for access the service j′ . When dateS is within the validity period checks, TPM calculates c, tn , vs , fs and sends them to MT. MT calculates es , ews , ees , ers , ws , rs , ss and the

signature 1 2 v t v f e ew ee er w r s(( || ) || || || || ( , , , , , , , , ))T T c n n s s s s s s s s sσ =

and then sends σ to ISP′ . ISP′ calculates: 1e

e v s ewf

date v e s ewf

e ew s

21 1

1

1 1 1

ˆ ( ) mod

( ) mod

mod

ls c s s ssc c

cv S s r s rsc ct cke c

cr r r

t

T Z j T R S h N h n

jUS h h R S N T h h nj

jT T h h n Tj

−+ −−

−−

−

′= =

⎛ ⎞ =⎜ ⎟′⎝ ⎠

⎛ ⎞ ≠⎜ ⎟′⎝ ⎠

v( (( || || || || || || || || || || || || ||c H H n g g h R S Z M N nγ Γ ρ′≠

1 2 1 2 2 tˆ ˆ ˆ( || ) || ( || || )) || )T T T T T n′ , validation fails. So mobile

terminal can only access the required service within the validity period according to the trusted certificate ( , , )A e s .

5.4 Unforgeability analysis

Unforgeability includes two aspects: 1) The attacker cannot forge the trusted certificate

( , , )A e s . 2) The attacker having the trusted certificate ( , , )A e s

cannot generate the signature on behalf of MT. Proof In order to forge the trusted certificate ( , , )A e s ,

the attacker has to know ( , )k t to calculate A and s. However, ( , )k t is the private key of PM. Assume the attacker forge ( , )k t′ ′ and generates the trusted certificate ( , , )A e s′ ′ ′ and sends them to MT, where

( ) ( )( )date1/

modev S kA Z j US h n′

′= and s k e t′ ′ ′ ′= + . MT

Issue 1 ZHANG De-dong, et al. / Anonymous authentication scheme of trusted mobile terminal under mobile Internet 63

and TPM generate some random numbers, calculates es ,

ews , ees , ers , ws , rs , ss , generates the signature

1 2 v t v f e ew ee er w r s( || ) || || || || ( , , , , , , , , )T T c n n s s s s s s s s sσ = and

sends it to ISP. ISP calculates 1e

e v s ewf

e v s ewf

v s e ewf

e ew s

21 1

1( )

1

( )1 1 1

ˆ ( ) mod

( ) mod

mod

mod

ls c s s ssc c

r ce s s ssc c

r r c k e t r rr ct ck e

r r r c t tt

T Z j T R S h N h n

Z j T R S h N h n

R S h h h T h n

T T h h h n T

− ′+ −−

+ −−

′ ′′ ′ − + −

′− −

= =

=

=

≠

v( ( || || || || || || || || || || || || ||c H H n g g h R S Z M N nγ Γ ρ′≠

1 2 1 2 2 tˆ ˆ ˆ( || ) || ( || || )) || )T T T T T n′ , validation fails. The attacker

cannot solve it according to the public key ( , )M N too,

otherwise it contradicts the strong RSA assumption. So the attacker cannot forge the trusted certificate ( , , )A e s

correctly. The attacker having the trusted certificate ( , , )A e s cannot generate the signature correctly too and

the proof is similar to the proof of controllability. So the scheme satisfies unforgeability.

5.5 Performance analysis

5.5.1 Safety function analysis

We compare our scheme with other anonymous authentication scheme in safety function. The results are shown in Table 1, where Y refers to having the function and N refers to not having the function.

Table 1 Safety function analysis

Scheme Safety function Li et al.’s scheme

in Ref. [6] Wu et al.’s scheme

in Ref. [10] Yang et al.’s scheme

in Ref. [11] Liu et al.’s scheme

in Ref. [12] Our scheme

User anonymity Y Y Y Y Y

Mutual authentication Y Y Y Y Y

Terminal credibility validation N Y Y N Y

Domain separation N Y Y N Y

Roaming authentication N Y Y N Y

Direct anonymous attestation N N N Y Y

Based on the data in Table 1, compared with traditional anonymous authentication scheme [6], our scheme not only realizes the basic security requirement (such as: user anonymity, mutual authentication), but also increases the functions of credibility validation and roaming authentication, which can protect ISP from the security threats. Compared with Wu et al.’s scheme [10] and Yang et al.’s scheme [11], our scheme increases the function of terminal direct anonymity attestation, which can resist the collusive attack from PM and ISP. Compared with Liu et al.’s [12] scheme, our scheme realizes the functions of credibility validation, domain separation and roaming authentication, which is more in line with the actual situation of mobile internet. In short, compared with the existing schemes, the proposed scheme

has more safety function and provides a high level of security.

5.5.2 Computing performance analysis

We only compare the proposed scheme with that of Liu et al. [12] from efficiency because these two schemes are both based on direct anonymous attestation protocol. The results are shown in Table 2, where H stands for Hash operation, EK for asymmetric encryption operation, DK for asymmetric decryption operation, Gn for mod n operation and Gm

n for mod n operation of product of

m-exponential operation.

64 The Journal of China Universities of Posts and Telecommunications 2013

Table 2 Computing performance analysis

Scheme Calculation

Liu et al.’s scheme in Ref. [12] Our scheme

PM’s calculation EK+3DK+3H+m GΓ + 2GΓ + 2Gn + 4Gn DK+EK+ 3Gn

MT’s calculation DK+3EK+4H+ 2GΓ + Gn + 22Gn + 32Gn + 4nG EK+DK+H+ Gn +2 3Gn +2 4Gn

TPM’s calculation H+ 6GΓ +3 3Gn DK+H+ 2Gn

ISP’s calculation 3H+ 22GΓ + 42Gn + 6Gn + Gm Γ 2H+2 4Gn + 7Gn

Based on the data in Table 2, this scheme reduces

anonymous authentication between MT and PM of home network, which is more in line with the actual situation of mobile internet and reduces some computations. In addition, as MT applies for the trusted certificate from PM, PM has verified the credibility and identity of MT. Only verified, PM can issue the trusted certificate to MT, so PM and ISP do not need to check whether MT is in their fraud lists, which can reduce Gm Γ computations. In a word, this

scheme has a higher efficiency and meets the need for services access of mobile terminal under mobile internet.

5.6 Experiment results

We realize the function of the scheme using Visual C++ and OpenSSL to test the efficiency. The test environment was three PCs with i3 2 350 M CPU, 2 GB DDR3 memory, and Windows 7 operating system. We use the three PCs to simulate the PM, ISP and MT respectively and select four groups of users. Each group has Nτ users, where

1 10N = , 2 80N = , 3 600N = , 4 5000N = .

In a period of time, MT needs to apply only once for the service, so the access efficiency of MT cannot be considered. A large number of users may apply the services from ISP at the same time, so the response efficiency of ISP is measured in the experiment. We test the response efficiency of ISP using the four groups of users. In the first case, the users access ISP directly. In the second case, the users access ISP using the proposed scheme. The users in each group access the ISP in the same time. The results are summarized in Fig. 2. In Fig. 2 the horizontal axis stands for the group users; the vertical axis stands for response time of accessing services. Curve 1 stands for the experiment results of the first case. Curve 2 stands for the experiment results of the second

case.

Fig. 2 Experiment results of response time

As shown in Fig. 2, with the number of users increasing, the response efficiency has not fallen significantly. In the second case, the users access ISP using the proposed scheme. It realizes mutual authentication between MT and ISP, while it incurs a minor increase in response time. So the scheme is suitable for anonymous authentication of wireless network.

6 Conclusions

Anonymous authentication technology is an important means of privacy protection in the mobile Internet. A trusted and anonymous authentication scheme is proposed in the paper. It solves the contradictions between user privacy protection and identity authentication. When the ISP provides the services for the mobile terminal, it can authenticate the user’s identity and terminal’s creditability without revealing detail information about mobile terminal both in home network and foreign network. The trusted certificate applied by MT can be used until it expires, which reduces the calculation of PM. In conclusion, the scheme is in line with the actual situation of mobile internet communications, meets the requirements of

Issue 1 ZHANG De-dong, et al. / Anonymous authentication scheme of trusted mobile terminal under mobile Internet 65

privacy protection and identity authentication, so it is suitable for anonymous authentication of wireless network and mobile Internet.

Acknowledgements

This work was supported by the National Natural Science

Foundation of China (60803157, 90812001, 61170271).

References

1. He Q, Wu D P, Khosla P. The quest for personal control over mobile location privacy. IEEE Communications Magazine, 2004, 42(5): 130−136

2. Tang C, Wu D O. An efficient mobile authentication scheme for wireless networks. IEEE Transactions on Wireless Communications, 2008, 7(4): 1408−1416

3. Zhu H, Li H, Su W L, et al. ID-based wireless authentication scheme with anonymity. Journal on Communications, 2009, 30(4): 130−136 (in Chinese)

4. Fu J Q, Chen J, Fan R, et al. An efficient delegation-based anonymous authentication protocol. Proceedings of the 2nd International Workshop on Computer Science and Engineering (WCSE’09): Vol 1, Oct 28−30, 2009, Qingdao, China. Piscataway, NJ, USA: IEEE, 2009: 558−562

5. Chen T H, Chen Y C, Shin W K, et al. An efficient anonymous authentication protocol for mobile pay-TV. Journal of Network and Computer Applications, 2011, 34(4): 1131−1137

6. Li K, Xiu A N, He F, et al. Anonymous authentication with unlinkability for

wireless environments. IEICE Electronics Express, 2011, 8(8): 536−541 7. Mun H, Han K, Lee Y S, et al. Enhanced secure anonymous authentication

scheme for roaming service in global mobility networks. Mathematical and Computer Modelling, 2012, 55(1): 214−222

8. Zheng Y, He D K, He M X. Trusted computing based user authentication for mobile equipment. Chinese Journal of Computers, 2006, 29(8): 1255−1264 (in Chinese)

9. Wu C C, Lee W B, Tsaur W J. A secure authentication scheme with anonymity for wireless communications. IEEE Communications Letters, 2008, 12(10): 722−723

10. Wu Z Q, Zhou Y W, Qiao Z R. Access mechanism of PMP under mobile network. Journal on Communications, 2010, 31(10): 158−169 (in Chinese)

11. Yang L, Ma J F, Pei Q Q, et al. Direct anonymous authentication scheme for wireless networks under trusted computing, Journal on Communications, 2010, 31(8): 98−104 (in Chinese)

12. Liu J Y, Gu L Z, Luo S S, et al. Anonymous authentication scheme for mobile communication. Journal of Xidian University, 2011, 38(1): 176−183 (in Chinese)

13. Brickell E, Li J T. Enhanced privacy ID: A direct anonymous attestation scheme with enhanced revocation capabilities. IEEE Transactions on Dependable and Secure Computing, 2012, 9(3): 345−360

14. Kim H, Shin K G, Dabbous W. Improving cross-domain authentication over wireless local area networks. Proceedings of the 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm’05), Sep 5−9, 2005, Athens Greece. Piscataway, NJ, USA: IEEE, 2005: 127−138

(Editor: WANG Xu-ying)